CVE-2026-24392
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in HurryTimer ≀ 2.14.2 Enables Persistent Script Injection

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24392
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nabil_lemsieh hurrytimer to 2.14.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24392 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress HurryTimer Plugin versions up to and including 2.14.2.

This vulnerability allows a malicious actor to inject harmful scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into a website, which execute when visitors access the site.

The issue is classified under OWASP Top 10 category A3: Injection and has a CVSS severity score of 5.9, indicating a moderate risk level.

Exploitation requires user interaction by a privileged user (such as an author or developer) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can allow attackers to inject malicious scripts into your website, which can execute when visitors access the site.'}, {'type': 'list_item', 'content': 'Attackers could redirect users to malicious sites.'}, {'type': 'list_item', 'content': 'Attackers could display unwanted advertisements or other harmful HTML content.'}, {'type': 'paragraph', 'content': "Such actions can harm your website's reputation, compromise user trust, and potentially lead to further security issues."}, {'type': 'paragraph', 'content': 'However, exploitation requires interaction by a privileged user, which limits the likelihood and impact.'}] [1]

Compliance Impact

I don't know

Detection Guidance

Detection of this Cross Site Scripting (XSS) vulnerability in the HurryTimer WordPress plugin involves identifying if the plugin version is 2.14.2 or earlier, as these versions are vulnerable.

Since the vulnerability requires user interaction and involves injection of malicious scripts, one way to detect it is by scanning for suspicious script injections or unusual HTML payloads in the web pages generated by the plugin.

Specific commands are not provided in the available resources, but common approaches include:

  • Checking the installed plugin version via WP-CLI: `wp plugin list` to verify if HurryTimer is installed and its version.
  • Using web vulnerability scanners or XSS detection tools to scan the website for stored XSS payloads.
  • Manually reviewing input fields and stored content generated by HurryTimer for suspicious scripts.
Mitigation Strategies

The immediate and recommended mitigation step is to update the HurryTimer WordPress plugin to version 2.14.3 or later, where this vulnerability has been patched.

Additionally, enabling the Patchstack auto-update feature for plugins can help ensure rapid protection against this and other vulnerabilities.

Until the update is applied, limiting privileged user interactions with untrusted content and monitoring for suspicious activity can reduce exploitation risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart